Separate role authorization and user authentication
- When you configure the Identity service to use LDAP back
- ends, you can split authentication and authorization using the
- Assignments feature.
- The Assignments feature enables administrators to manage
- project role authorization using the Identity service SQL
- database, while still providing user authentication through the
- LDAP directory.
- To configure this:
+ Integrate assignment back end with LDAP
+ When you configure the OpenStack Identity service to use LDAP
+ servers, you can split authentication and authorization using the
+ assignment feature. Integrating the
+ assignment back end with LDAP allows administrators to use
+ projects (tenant), roles, domains, and role assignments
+ in LDAP.
+
+ Using LDAP as an assignment back end is not recommended.
+
+
+ The OpenStack Identity service does not support domain-specific
+ assignment back ends.
+
+
+ For OpenStack Identity assignments to access LDAP servers, you
+ must define the destination LDAP server in
+ the keystone.conf file. For more information,
+ see .
+
- Separating role authorization and user authentication
- through Assignments
- Modify the /etc/keystone/keystone.conf
- configuration file for a single LDAP server, or
- etc/domains/keystone.DOMAIN_NAME.conf
- files for multiple LDAP back ends, performing the following actions:
-
- Configure the Identity service to authenticate users
- through the LDAP driver. In the [identity] section, set
- the driver configuration key to
- keystone.identity.backends.ldap.Identity:
-
- [identity]
-driver = keystone.identity.backends.ldap.Identity
-
- Enable the Assignment driver. In the
- [assignment] section, set the driver
- configuration key to keystone.assignment.backends.sql.Assignment:
-
- [assignment]
-driver = keystone.assignment.backends.sql.Assignment
-
+ Integrating assignment back ends with LDAP
+
+ Enable the assignment driver. In the
+ [assignment] section, set the
+ driver configuration key to
+ keystone.assignment.backends.sql.Assignment:
+ [assignment]
+#driver = keystone.assignment.backends.sql.Assignment
+driver = keystone.assignment.backends.ldap.Assignment
+
+
+ Create the organizational units (OU) in the LDAP
+ directory, and define their corresponding location in
+ the keystone.conf file:
+ [ldap]
+role_tree_dn =
+role_objectclass = inetOrgPerson
+
+project_tree_dn = ou=Groups,dc=example,dc=org
+project_objectclass = groupOfNames
+
+ These schema attributes are extensible for
+ compatibility with various schemas. For example,
+ this entry maps to the
+ groupOfNames attribute in
+ Active Directory:
+ project_objectclass = groupOfNames
+
+
+
+ A read-only implementation is recommended for LDAP
+ integration. These permissions are applied to object
+ types in the keystone.conf
+ file:
+ [ldap]
+role_allow_create = False
+role_allow_update = False
+role_allow_delete = False
+
+project_allow_create = False
+project_allow_update = False
+project_allow_delete = False
+
+
+ Restart the OpenStack Identity service:
+ #service keystone restart
+ During service restart, authentication and
+ authorization are unavailable.
+
- On
- distributions that include
- openstack-config, you can
- configure both drivers by running the following commands.
-
-
- For a single LDAP server:
- #openstack-config --set /etc/keystone/keystone.conf \
-identity driver keystone.identity.backends.ldap.Identity
-#openstack-config --set /etc/keystone/keystone.conf \
-assignment driver keystone.assignment.backends.sql.Assignment
-
-
- For multiple LDAP back ends:
-#openstack-config --set /etc/keystone/keystone.conf \
- identity driver keystone.identity.backends.ldap.Identity
- #openstack-config --set etc/domains/keystone.DOMAIN_NAME.conf \
- assignment driver keystone.assignment.backends.sql.Assignment
-
-
+
+ Additional LDAP integration settings
+ Set these options in the
+ /etc/keystone/keystone.conf
+ file for a single LDAP server, or
+ /etc/keystone/domains/keystone.
+ DOMAIN_NAME.conf
+ files for multiple back ends.
+
+
+
+ Filters
+
+ Use filters to control the scope of data
+ presented through LDAP.
+ [ldap]
+project_filter = (member=cn=openstack-user,ou=workgroups,dc=example,dc=org)
+role_filter =
+ Filtering method
+
+
+
+ Assignment attribute mapping
+
+ Mask account status values (include any additional
+ attribute mappings) for compatibility with various
+ directory services. Superfluous accounts are filtered with
+ user_filter.
+ Setting attribute ignore to list of attributes
+ stripped off on update.
+ [ldap]
+role_id_attribute = cn
+role_name_attribute = ou
+role_member_attribute = roleOccupant
+role_additional_attribute_mapping =
+role_attribute_ignore =
+
+project_id_attribute = cn
+project_name_attribute = ou
+project_member_attribute = member
+project_desc_attribute = description
+project_enabled_attribute = enabled
+project_domain_id_attribute = businessCategory
+project_additional_attribute_mapping =
+project_attribute_ignore =
+
+
+
+ Enabled emulation
+
+ An alternative method to determine if a project is
+ enabled or not is to check if that project is a
+ member of the emulation group.
+ Use DN of the group entry to hold enabled
+ projects when using enabled emulation.
+ [ldap]
+project_enabled_emulation = false
+project_enabled_emulation_dn = false
+
+
+
+
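Review bot: the driver instruction and its example contradict each other in the `[assignment]` step of this hunk. The text says to set `driver` to `keystone.assignment.backends.sql.Assignment`, but the block comments that value out and sets `driver = keystone.assignment.backends.ldap.Assignment`, and the note a few lines above says an LDAP assignment back end is not recommended. Decide what this procedure configures: if it is the LDAP assignment driver, the step text should name `keystone.assignment.backends.ldap.Assignment` and state plainly that the SQL driver is the recommended default being replaced; if it is the SQL driver, the example must set it. The `[ldap]` example in the next step leaves `role_tree_dn =` empty while the text says to define each OU's location; give it a sample DN alongside `project_tree_dn = ou=Groups,dc=example,dc=org`. In the "Enabled emulation" subsection, `project_enabled_emulation_dn = false` assigns a boolean to an option the text describes as a DN; leave it empty or show a group DN. The "Assignment attribute mapping" text still says superfluous accounts are filtered with `user_filter`, which belongs to the identity back end; in this section the filters are `project_filter` and `role_filter`. Finally, the Active Directory example `project_objectclass = groupOfNames` repeats the value already shown two steps earlier, so it illustrates no mapping (and `groupOfNames` is an object class, not an attribute, as the key name says); either give a distinct AD value or drop the example.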
diff --git a/doc/common/section_keystone_config_ldap-identity.xml b/doc/common/section_keystone_config_ldap-identity.xml
new file mode 100644
index 0000000000..1ab441df96
--- /dev/null
+++ b/doc/common/section_keystone_config_ldap-identity.xml
@@ -0,0 +1,232 @@
+
+
+
+ Integrate identity back end with LDAP
+ The identity back end contains information for users, groups, and
+ group member lists. Integrating the identity back end with LDAP allows
+ administrators to use users and groups in LDAP.
+
+ For OpenStack Identity Service to access LDAP servers, you must
+ define the destination LDAP server in the
+ keystone.conf file. For more information, see
+ .
+
+
+ Integrating an identity back end with LDAP
+
+ Enable the LDAP identity driver in the
+ keystone.conf file. This allows LDAP as
+ an identity back end:
+ [identity]
+#driver = keystone.identity.backends.sql.Identity
+driver = keystone.identity.backends.ldap.Identity
+
+
+ Create the organizational units (OU) in the LDAP
+ directory, and define the corresponding location in
+ the keystone.conf file:
+ [ldap]
+user_tree_dn = ou=Users,dc=example,dc=org
+user_objectclass = inetOrgPerson
+
+group_tree_dn = ou=Groups,dc=example,dc=org
+group_objectclass = groupOfNames
+
+ These schema attributes are extensible for
+ compatibility with various schemas. For example,
+ this entry maps to the
+ person attribute in
+ Active Directory:
+ user_objectclass = person
+
+
+
+ A read-only implementation is recommended for LDAP
+ integration. These permissions are applied to object
+ types in the keystone.conf
+ file:
+ [ldap]
+user_allow_create = False
+user_allow_update = False
+user_allow_delete = False
+
+group_allow_create = False
+group_allow_update = False
+group_allow_delete = False
+
+
+ Restart the OpenStack Identity service:
+ #service keystone restart
+ During service restart, authentication and
+ authorization are unavailable.
+
+
+
+ Integrating identity with multiple back ends
+
+ Set the following options in the
+ /etc/keystone/keystone.conf file:
+
+
+ Enable the LDAP driver:
+ [identity]
+#driver = keystone.identity.backends.sql.Identity
+driver = keystone.identity.backends.ldap.Identity
+
+
+ Enable domain-specific drivers:
+ [identity]
+domain_specific_drivers_enabled = True
+domain_config_dir = /etc/keystone/domains
+
+
+
+
+ Restart the service:
+ # service keystone restart
+
+
+ List the domains using the dashboard, or the OpenStackClient
+ CLI. Refer to the Command List
+ for a list of OpenStackClient commands.
+
+
+ Create domains using OpenStack dashboard, or the
+ OpenStackClient CLI.
+
+
+ For each domain, create a domain-specific configuration
+ file in the /etc/keystone/domains directory.
+ Use the file naming convention keystone.DOMAIN_NAME.conf,
+ where DOMAIN_NAME
+ is the domain name assigned in the previous step.
+ The options set in the
+ /etc/keystone/domains/keystone.DOMAIN_NAME.conf
+ file will override options in the /etc/keystone/keystone.conf
+ file.
+
+
+ Define the destination LDAP server in the
+ /etc/keystone/domains/keystone.DOMAIN_NAME.conf file. For example:
+ [ldap]
+url = ldap://localhost
+user = dc=Manager,dc=example,dc=org
+password = samplepassword
+suffix = dc=example,dc=org
+use_dumb_member = False
+allow_subtree_delete = False
+
+
+ Create the organizational units (OU) in the LDAP
+ directories, and define their corresponding locations in
+ the /etc/keystone/domains/keystone.DOMAIN_NAME.conf
+ file. For example:
+ [ldap]
+user_tree_dn = ou=Users,dc=example,dc=org
+user_objectclass = inetOrgPerson
+
+group_tree_dn = ou=Groups,dc=example,dc=org
+group_objectclass = groupOfNames
+
+ These schema attributes are extensible for
+ compatibility with various schemas. For example,
+ this entry maps to the person
+ attribute in Active Directory:
+ user_objectclass = person
+
+
+
+ A read-only implementation is recommended for LDAP
+ integration. These permissions are applied to object
+ types in the /etc/keystone/domains/keystone.DOMAIN_NAME.conf
+ file:
+ [ldap]
+user_allow_create = False
+user_allow_update = False
+user_allow_delete = False
+
+group_allow_create = False
+group_allow_update = False
+group_allow_delete = False
+
+
+ Restart the OpenStack Identity service:
+ #service keystone restart
+ During service restart, authentication and
+ authorization are unavailable.
+
+
+
+ Additional LDAP integration settings
+ Set these options in the
+ /etc/keystone/keystone.conf
+ file for a single LDAP server, or
+ /etc/keystone/domains/keystone.
+ DOMAIN_NAME.conf
+ files for multiple back ends.
+
+
+
+ Filters
+
+ Use filters to control the scope of data
+ presented through LDAP.
+ [ldap]
+user_filter = (memberof=cn=openstack-users,ou=workgroups,dc=example,dc=org)
+group_filter =
+
+
+
+ Identity attribute mapping
+
+ Mask account status values (include any additional
+ attribute mappings) for compatibility
+ with various directory services. Superfluous
+ accounts are filtered with
+ user_filter.
+ Setting attribute ignore to list of attributes
+ stripped off on update.
+ For example, you can mask Active Directory
+ account status attributes in the
+ keystone.conf
+ file:
+ [ldap]
+user_id_attribute = cn
+user_name_attribute = sn
+user_mail_attribute = mail
+user_pass_attribute = userPassword
+user_enabled_attribute = userAccountControl
+user_enabled_mask = 2
+user_enabled_invert = false
+user_enabled_default = 51
+user_default_project_id_attribute =
+user_attribute_ignore = default_project_id,tenants
+user_additional_attribute_mapping =
+
+group_id_attribute = cn
+group_name_attribute = ou
+group_member_attribute = member
+group_desc_attribute = description
+group_attribute_ignore =
+group_additional_attribute_mapping =
+
+
+
+ Enabled emulation
+
+ An alternative method to determine if a user is
+ enabled or not is by checking if that user is a
+ member of the emulation group.
+ Use DN of the group entry to hold enabled
+ user when using enabled emulation.
+ [ldap]
+user_enabled_emulation = false
+user_enabled_emulation_dn = false
+
+
+
+
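Review bot: `user_enabled_default = 51` in the "Identity attribute mapping" block looks like a dropped digit: the same Active Directory example that this change removes from section_keystone_config_ldap.xml has `user_enabled_default = 512`, and with `user_enabled_mask = 2` a default of 51 has the mask bit set, so an account with no `userAccountControl` value would be treated as disabled. Restore 512, or explain the new value. Same issue as the assignment file: `user_enabled_emulation_dn = false` assigns a boolean to an option the text describes as a DN. The domain-specific `[ldap]` example carries a bind DN and `password = samplepassword` in clear text; since every `/etc/keystone/domains/keystone.DOMAIN_NAME.conf` file will hold such credentials, the step that creates those files should tell the reader to restrict their permissions to the keystone service user, as for keystone.conf itself. Minor: "Refer to the Command List" needs its target named or linked, and "Setting attribute ignore to list of attributes stripped off on update." is a fragment; "Set `user_attribute_ignore` to the list of attributes that are stripped on update" reads better.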
diff --git a/doc/common/section_keystone_config_ldap.xml b/doc/common/section_keystone_config_ldap.xml
index b4858192c6..9e6a84cc45 100644
--- a/doc/common/section_keystone_config_ldap.xml
+++ b/doc/common/section_keystone_config_ldap.xml
@@ -5,189 +5,59 @@
version="5.0"
xml:id="configuring-keystone-for-ldap-backend">
Integrate Identity with LDAP
- Identity Service supports integration with existing LDAP
- directories for authentication and authorization
+ The Openstack Identity Service supports integration with
+ existing LDAP directories for authentication and authorization
services.
+ When the Openstack Identity service is configured to use LDAP
+ back ends, you can split authentication (using the
+ identity feature) and
+ authorization (using the
+ assignment feature).
+ The identity feature enables administrators to manage
+ users and groups by each domain or the Openstack Identity Service entirely.
+ The Assignments feature enables administrators to manage
+ project role authorization using the Openstack Identity service SQL
+ database, while providing user authentication through the
+ LDAP directory.
- For OpenStack Identity to access LDAP servers, you must
+ For OpenStack Identity service to access LDAP servers, you must
enable the boolean
- value for SELinux on the Identity server. To enable and
+ value for SELinux on the Openstack Identity server. To enable and
make the option persistent across reboots:#setsebool -P authlogin_nsswitch_use_ldap
+ Identity configuration is split into two separate back ends: identity
+ (back end for users and groups) and assignments (back end for domains,
+ projects, roles, role assignments). To configure identity, set options in the
+ /etc/keystone/keystone.conf file.
+ See
+ for identity back end configuration examples and
+
+ for assignment back end configuration examples.
+ Modify these examples as needed.
- You can integrate Identity with a single LDAP
- server, or multiple back ends using domain-specific configuration files.
+ Multiple back ends are supported. You can integrate the Openstack Identity service
+ with a single LDAP server (configure both identity and assignments to
+ LDAP, or set identity and assignments back end with SQL or LDAP),
+ or multiple back ends using domain-specific configuration files.
-
- To integrate Identity with a LDAP server
-
- Enable the LDAP driver in the
- /etc/keystone/keystone.conf file:
- [identity]
-#driver = keystone.identity.backends.sql.Identity
-driver = keystone.identity.backends.ldap.Identity
-
-
- Define the destination LDAP server in the
- /etc/keystone/keystone.conf file:
- [ldap]
-url = ldap://localhost
-user = dc=Manager,dc=example,dc=org
-password = samplepassword
-suffix = dc=example,dc=org
-use_dumb_member = False
-allow_subtree_delete = False
-
-
- Create the organizational units (OU) in the LDAP
- directory, and define their corresponding location in
- the keystone.conf file:
- [ldap]
-user_tree_dn = ou=Users,dc=example,dc=org
-user_objectclass = inetOrgPerson
-
-tenant_tree_dn = ou=Groups,dc=example,dc=org
-tenant_objectclass = groupOfNames
-
-role_tree_dn = ou=Roles,dc=example,dc=org
-role_objectclass = organizationalRole
-
- These schema attributes are extensible for
- compatibility with various schemas. For example,
- this entry maps to the
- person attribute in
- Active Directory:
- user_objectclass = person
-
-
-
- A read-only implementation is recommended for LDAP
- integration. These permissions are applied to object
- types in the keystone.conf
- file:
- [ldap]
-user_allow_create = False
-user_allow_update = False
-user_allow_delete = False
-
-tenant_allow_create = False
-tenant_allow_update = False
-tenant_allow_delete = False
-
-role_allow_create = False
-role_allow_update = False
-role_allow_delete = False
-
-
- Restart the Identity service:
- #service keystone restart
- During service restart, authentication and
- authorization are unavailable.
-
-
-
- To integrate Identity with multiple back ends
-
- Set the following options in the
- /etc/keystone/keystone.conf file:
-
-
- Enable the LDAP driver:
- [identity]
-#driver = keystone.identity.backends.sql.Identity
-driver = keystone.identity.backends.ldap.Identity
-
-
- Enable domain-specific drivers:
- [identity]
-domain_specific_drivers_enabled = True
-domain_config_dir = /etc/keystone/domains
-
-
-
-
- Restart the service:
- # service keystone restart
-
-
- List the domains using the dashboard, or the OpenStackClient
- CLI. Refer to the Command List
- for a list of OpenStackClient commands.
-
-
- Create domains using OpenStack dashboard, or the
- OpenStackClient CLI.
-
-
- For each domain, create a domain-specific configuration
- file in the /etc/keystone/domains directory.
- Use the file naming convention keystone.DOMAIN_NAME.conf,
- where DOMAIN_NAME
- is the domain name assigned in the previous step.
- The options set in the
- /etc/keystone/domains/keystone.DOMAIN_NAME.conf
- file will override options in the /etc/keystone/keystone.conf
- file.
-
-
+
+ To define the destination LDAP serverDefine the destination LDAP server in the
- /etc/keystone/domains/keystone.DOMAIN_NAME.conf file. For example:
- [ldap]
+ keystone.conf file:
+
+ [ldap]
url = ldap://localhost
user = dc=Manager,dc=example,dc=org
password = samplepassword
suffix = dc=example,dc=org
use_dumb_member = False
allow_subtree_delete = False
-
-
- Create the organizational units (OU) in the LDAP
- directory, and define their corresponding location in
- the /etc/keystone/domains/keystone.DOMAIN_NAME.conf
- file. For example:
+
+ Configure if you set to true.[ldap]
-user_tree_dn = ou=Users,dc=example,dc=org
-user_objectclass = inetOrgPerson
-
-tenant_tree_dn = ou=Groups,dc=example,dc=org
-tenant_objectclass = groupOfNames
-
-role_tree_dn = ou=Roles,dc=example,dc=org
-role_objectclass = organizationalRole
-
- These schema attributes are extensible for
- compatibility with various schemas. For example,
- this entry maps to the person
- attribute in Active Directory:
- user_objectclass = person
-
-
-
- A read-only implementation is recommended for LDAP
- integration. These permissions are applied to object
- types in the /etc/keystone/domains/keystone.DOMAIN_NAME.conf
- file:
- [ldap]
-user_allow_create = False
-user_allow_update = False
-user_allow_delete = False
-
-tenant_allow_create = False
-tenant_allow_update = False
-tenant_allow_delete = False
-
-role_allow_create = False
-role_allow_update = False
-role_allow_delete = False
-
-
- Restart the Identity service:
- #service keystone restart
- During service restart, authentication and
- authorization are unavailable.
-
-
+dumb_member = cn=dumb,dc=nonexistent
+
Additional LDAP integration settingsSet these options in the
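Review bot: two sentences in this hunk are broken as rendered. `To define the destination LDAP serverDefine the destination LDAP server in the` fuses the procedure title into its first step; a separator is missing between them. `Configure if you set to true.[ldap]` names no option at all, and the example that follows it, `dumb_member = cn=dumb,dc=nonexistent`, only takes effect when `use_dumb_member` is true, yet the `[ldap]` block just above keeps `use_dumb_member = False`; spell out both option names in the sentence and make the two blocks one consistent example, or say explicitly that the second shows the opposite setting. The product name is spelled three ways within the added text (`Openstack Identity Service`, `Openstack Identity service`, `OpenStack Identity service`); use "OpenStack Identity service" throughout, and "Assignments feature" should match "assignment feature" two sentences earlier. The sentence "configure both identity and assignments to LDAP, or set identity and assignments back end with SQL or LDAP" is hard to parse; suggest "configure identity, assignment, or both to use LDAP, with SQL for whichever remains", and since the new assignment section says an LDAP assignment back end is not recommended, say so here too, where the reader chooses the layout.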
@@ -197,34 +67,71 @@ role_allow_delete = False
- Filters
+ Query option
- Use filters to control the scope of data
- presented through LDAP.
+ Use
+ to control the scope level of data
+ presented (search only the first level or search an entire
+ sub-tree) through LDAP.
+ Use to control the maximum
+ results per page. A value of zero disables paging.
+ Use to control
+ the LDAP dereferencing option for queries.
+ Use to override the
+ system's default referral chasing behavior for queries.[ldap]
-user_filter = (memberof=cn=openstack-users,ou=workgroups,dc=example,dc=org)
-tenant_filter =
-role_filter =
+query_scope = sub
+page_size = 0
+alias_dereferencing = default
+chase_referrals =
- LDAP Account Status
+ Debug
- Mask account status values for compatibility
- with various directory services. Superfluous
- accounts are filtered with
- user_filter.
- For example, you can mask Active Directory
- account status attributes in the
- keystone.conf
- file:
+ Use to set
+ the LDAP debugging level for LDAP calls. A value of zero means that
+ debugging is not enabled.[ldap]
-user_enabled_attribute = userAccountControl
-user_enabled_mask = 2
-user_enabled_default = 512
+debug_level = 0
+ This value is a bitmask, consult your LDAP
+ documentation for possible values.
+
+
+
+ Connection pooling
+
+ Use to enable LDAP connection
+ pooling. Configure connection pool size, maximum retry,
+ reconnect trials, timeout (-1 indicates indefinite
+ wait) and lifetime in seconds.
+ [ldap]
+use_pool = true
+pool_size = 10
+pool_retry_max = 3
+pool_retry_delay = 0.1
+pool_connection_timeout = -1
+pool_connection_lifetime = 600
+
+
+
+ Connection pooling for end user authentication
+
+ Use to enable LDAP
+ connection pooling for end user authentication.
+ Configure connection pool size and lifetime in seconds.
+ [ldap]
+use_auth_pool = false
+auth_pool_size = 100
+auth_pool_connection_lifetime = 60
+ When you have finished configuration, restart the Openstack Identity service:
+ #service keystone restart
+ During service restart, authentication and
+ authorization are unavailable.
+
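Review bot: `chase_referrals =` is left empty while the text says the option overrides the system's default referral behaviour, so the example neither shows the override nor states what an empty value means; give a boolean value or say that leaving it empty keeps the system default. The four "Use ... to control" sentences in the "Query option" subsection name no option as rendered; each needs the option it refers to (`query_scope`, `page_size`, `alias_dereferencing`, `chase_referrals` from the block below). `pool_connection_timeout = -1` is documented as an indefinite wait and is the value shown, so the text should say that a pending connection to an unresponsive LDAP server then has no upper bound and suggest a finite value for production. In "Connection pooling for end user authentication" the prose says the option enables pooling but the example sets `use_auth_pool = false`; label the block as the defaults, as the debug block does with `debug_level = 0`. Also, the "LDAP Account Status" subsection removed here carried `user_enabled_default = 512`, which reappears as 51 in the new identity file.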